Inside Network Perimeter Security, Second Edition

Book Description

Security professionals and administrators now have access to one of the most valuable resources for learning best practices for network perimeter security. Inside Network Perimeter Security, Second Edition is your guide to preventing network intrusions and defending against any intrusions that do manage to slip through your perimeter. This acclaimed resource has been updated to reflect changes in the security landscape, both in terms of vulnerabilities and defensive tools. Coverage also includes intrusion prevention systems and wireless security. You will work your way through fortifying the perimeter, designing a secure network, and maintaining and monitoring the security of the network. Additionally, the discussion of tools such as firewalls, virtual private networks, routers, and intrusion detection systems makes Inside Network Perimeter Security, Second Edition a valuable resource for both security professionals and GIAC Certified Firewall Analyst certification exam candidates.

Table of Contents

  1. Copyright
  2. About the Authors
  3. About the Technical Editors
  4. Acknowledgments
  5. We Want to Hear from You!
  6. Reader Services
  7. Preface
    1. Rickety Planes
    2. Fires in the West
    3. Rapid Advances in Technology
    4. Decline in Personal Service
    5. Continuous Inspections
    6. Defense in Depth
    7. Core Business Sector
  8. Introduction
    1. Who Should Read This Book
    2. Why We Created This Book's Second Edition
    3. Overview of the Book's Contents
    4. Conventions
  9. I. The Essentials of Network Perimeter Security
    1. 1. Perimeter Security Fundamentals
      1. Terms of the Trade
        1. The Perimeter
        2. Border Routers
        3. Firewalls
        4. Intrusion Detection Systems
        5. Intrusion Prevention Systems
        6. Virtual Private Networks
        7. Software Architecture
        8. De-Militarized Zones and Screened Subnets
      2. Defense in Depth
        1. Components of Defense in Depth
          1. The Perimeter
          2. The Internal Network
          3. The Human Factor
      3. Case Study: Defense in Depth in Action
      4. Summary
    2. 2. Packet Filtering
      1. TCP/IP Primer: How Packet Filtering Works
      2. TCP and UDP Ports
      3. TCP's Three-way Handshake
      4. The Cisco Router as a Packet Filter
      5. An Alternative Packet Filter: IPChains
      6. The Cisco ACL
        1. Rule Order
        2. Cisco IOS Basics
      7. Effective Uses of Packet-Filtering Devices
        1. Filtering Based on Source Address: The Cisco Standard ACL
          1. Blacklisting: The Blocking of Specific Addresses
          2. “Friendly Net”: Allowing Specific Addresses
          3. Ingress Filtering
      8. Egress Filtering
      9. Tracking Rejected Traffic
        1. Filtering by Port and Destination Address: The Cisco Extended ACL
        2. The Cisco Extended ACL
          1. “Friendly Net” Revisited
          2. Filtering TCP and UDP Ports and ICMP Types
      10. Problems with Packet Filters
        1. Spoofing and Source Routing
        2. Fragments
        3. Opening a “Hole” in a Static Packet Filter
        4. Two-way Traffic and the established Keyword
          1. The established Keyword and the Problem of DNS
        5. Protocol Problems: Extended Access Lists and FTP
      11. Dynamic Packet Filtering and the Reflexive Access List
        1. FTP Problems Revisited with the Reflexive Access List
        2. Reflexive ACLs with UDP and ICMP Traffic: Clearing Up DNS Issues
        3. Trouble in Paradise: Problems with Reflexive Access Lists
        4. Cisco IPv6 Access Lists
      12. Summary
      13. References
        1. Bibliography
    3. 3. Stateful Firewalls
      1. How a Stateful Firewall Works
      2. The Concept of State
        1. Transport and Network Protocols and State
          1. TCP and State
          2. UDP and State
          3. ICMP and State
        2. Application-Level Traffic and State
          1. HTTP and State
          2. File Transfer Protocol and State
          3. Multimedia Protocols and the Stateful Firewall
          4. Problems with Application-Level Inspection
          5. Deep Packet Inspection
      3. Stateful Filtering and Stateful Inspection
        1. Stateful Firewall Product Examples
          1. Netfilter/IPTables
          2. Check Point FireWall-1
          3. The Cisco PIX Firewall
      4. Summary
      5. References
        1. Bibliography
    4. 4. Proxy Firewalls
      1. Fundamentals of Proxying
      2. Pros and Cons of Proxy Firewalls
        1. Advantages of Proxy Firewalls
        2. Disadvantages of Proxy Firewalls
      3. Types of Proxies
        1. Web Proxies
        2. Reverse Proxies
        3. Anonymizing Proxies
      4. Tools for Proxying
        1. Firewall Toolkit (FWTK)
        2. SOCKS
          1. SOCKS Version 4
          2. SOCKS Version 5
        3. Squid
      5. Summary
    5. 5. Security Policy
      1. Firewalls Are Policy
        1. Active Policy Enforcement
        2. Unenforceable Policy
          1. The Effect of Unenforceable Policy
          2. Vectors for Unenforceable Policy
            1. Unwittingly Coding Unenforceable Policy
            2. No Up-front Policy
            3. TCP Port 80
            4. Email
            5. Very Large, Very High-Latency Packets
            6. Backdoors
      2. How to Develop Policy
        1. Identify Risks
        2. Communicate Your Findings
        3. Create or Update the Security Policy as Needed
        4. Determine Policy Compliance
        5. Sound Out the Organization's Rules and Culture
          1. Comparing Policy and Culture
            1. Written Policy
            2. Directives
            3. Contracts and Human Resources Rulings
          2. Unwritten Policy
        6. Elements of Policy
          1. Authority
          2. Scope
          3. Expiration
        7. Hallmarks of Good Policy
          1. Specificity and Clarity
          2. Conciseness
          3. Realism
      3. Perimeter Considerations
        1. Real-world Operations and Policy
          1. Presumption of Privacy
          2. Email Handling
          3. Incident Handling: Preparation to Containment
          4. Incident Handling: Eradication to Lessons Learned
        2. Rules of the Road
      4. Summary
      5. References
        1. Bibliography
  10. II. Fortifying the Security Perimeter
    1. 6. The Role of a Router
      1. The Router as a Perimeter Device
        1. Routing
        2. Secure Dynamic Routing
          1. Route Authentication
          2. Other Dynamic Routing Defenses
      2. The Router as a Security Device
        1. The Router as a Part of Defense in Depth
          1. Packet Filtering
          2. Network-Based Application Recognition (NBAR)
        2. The Router as a Lone Perimeter Security Solution
          1. Router Placement
          2. Technology Choices
      3. Router Hardening
        1. Operating System
        2. Locking Down Administration Points
          1. Telnet
        3. SSH
        4. The Console Port
        5. TFTP and FTP
        6. Configuration Management Tricks with TFTP and Scripts
        7. Simple Network Management Protocol
          1. Authentication and Passwords
          2. Disabling Servers
        8. Disable Unneeded Services
          1. Small Services
          2. Cisco Discovery Protocol
          3. Finger
          4. PAD Service
          5. Proxy-ARP
        9. Configure NTP and NTP Authentication
        10. Cisco TCP Keepalives Services
        11. Unicast Reverse Path Forwarding
        12. Internet Control Message Protocol Blocking
          1. Unreachables
          2. Directed Broadcasts
          3. Redirects
        13. Spoofing and Source Routing
        14. Router Logging
        15. Automatic Securing and Auditing of Cisco Routers
          1. Securing Your Router with Cisco's Auto Secure Feature
          2. Auditing Your Router with the Router Audit Tool (RAT)
      4. Summary
    2. 7. Virtual Private Networks
      1. VPN Basics
        1. Basic VPN Methodology
          1. What Is Tunneling?
          2. Packet-Level View of Tunneling
      2. Advantages and Disadvantages of VPNs
        1. Benefits of a VPN
          1. Security
          2. Deployment Advantages
          3. Cost Effectiveness
        2. Disadvantages of VPN
          1. Processing Overhead
          2. Packet Overhead
          3. Implementation Issues
          4. Troubleshooting and Control Issues
          5. Internet Availability Issues
      3. IPSec Basics
        1. IPSec Protocol Suite
          1. SA
          2. IPSec Tunnel and Transport Modes
        2. IKE
          1. IKE Phase 1
          2. Annotated IKE Phase 1 Example
          3. IKE Phase 2
          4. Annotated IKE Phase 2 Example
        3. IPSec Security Protocols AH and ESP
          1. AH Protocol
          2. ESP
          3. Combined Use of ESP and AH
        4. IPSec Configuration Examples
          1. Cisco Router VPN Examples
          2. Windows XP IPSec Configuration Example
      4. Other VPN Protocols: PPTP and L2TP
        1. PPTP
        2. L2TP
        3. Comparison of PPTP, L2TP, and IPSec
        4. PPTP and L2TP Examples
          1. Client Windows XP Setup
          2. Cisco PIX VPDN Setup for PPTP Traffic
      5. Summary
      6. References
        1. Bibliography
    3. 8. Network Intrusion Detection
      1. Network Intrusion Detection Basics
        1. The Need for Intrusion Detection
        2. Anomaly Detection
        3. Signature Detection
          1. How Signatures Work
        4. False Positives and False Negatives
          1. Developing Signatures That Minimize False Positives and Negatives
          2. Detecting IDS Evasion Techniques
          3. Avoiding Unwanted Alerts
        5. Alerting, Logging, and Reporting
        6. Intrusion Detection Software
        7. Intrusion-Related Services
          1. Distributed IDS Services
          2. Outsourced Intrusion Detection System Monitoring
      2. The Roles of Network IDS in a Perimeter Defense
        1. Identifying Weaknesses
          1. Security Auditing
          2. Policy Violations
        2. Detecting Attacks from Your Own Hosts
        3. Incident Handling and Forensics
        4. Complementing Other Defense Components
      3. IDS Sensor Placement
        1. Deploying Multiple Network Sensors
        2. Placing Sensors Near Filtering Devices
        3. Placing IDS Sensors on the Internal Network
        4. Working with Encryption
        5. Processing in High-traffic Situations
        6. Configuring Switches
        7. Using an IDS Management Network
        8. Maintaining Sensor Security
      4. Case Studies
        1. Case Study 1: Simple Network Infrastructure
          1. IDS Deployment Recommendations
        2. Case Study 2: Multiple External Access Points
          1. IDS Deployment Recommendations
        3. Case Study 3: Unrestricted Environment
          1. IDS Deployment Recommendations
      5. Summary
    4. 9. Host Hardening
      1. The Need for Host Hardening
      2. Removing or Disabling of Unnecessary Programs
        1. Controlling Network Services
          1. Resource-Sharing Services
          2. Remote Access Services
          3. Information Leakage
        2. Removing Extraneous Software Components
      3. Limiting Access to Data and Configuration Files
      4. Controlling User and Privileges
        1. Managing Unattended Accounts
        2. Protecting Administrative Accounts
        3. Enforcing Strong Passwords
        4. Controlling Group Membership
      5. Maintaining Host Security Logs
        1. Windows Logging and Auditing
        2. UNIX Logging and Auditing
      6. Applying Patches
      7. Additional Hardening Guidelines
        1. Automating Host-Hardening Steps
        2. Common Security Vulnerabilities
        3. Hardening Checklists
      8. Summary
    5. 10. Host Defense Components
      1. Hosts and the Perimeter
        1. Workstation Considerations
        2. Server Considerations
      2. Antivirus Software
        1. Strengths of Antivirus Software
        2. Limitations of Antivirus Software
      3. Host-Based Firewalls
        1. Firewalls for Workstations
        2. Firewalls for Servers
          1. PF
          2. Packet Filtering via IPSec on Windows
      4. Host-Based Intrusion Detection
        1. The Role of Host-Based IDS
        2. Host-Based IDS Categories
          1. Checking the File System's Integrity
          2. Network Connection Monitors
          3. Log File Monitors
      5. Challenges of Host Defense Components
        1. Defense Components on Compromised Hosts
        2. Controlling Distributed Host Defense Components
      6. Summary
      7. References
        1. Bibliography
    6. 11. Intrusion Prevention Systems
      1. Rapid Changes in the Marketplace
      2. What Is IPS?
        1. An IPS Must Be Fast
        2. An IPS Must Keep State
        3. An IPS Must Be Accurate and Up to Date
        4. An IPS Must Have the Ability to Nullify an Attack
      3. IPS Limitations
        1. An Excuse to Ignore Sound Practice
        2. An IPS Simply Buys You Time
      4. NIPS
        1. How Chokepoint NIPS Work
          1. Firewall Plus Something
            1. Check Point FireWall-1 NG
            2. modwall
          2. IDS Plus Something
            1. IntruShield
            2. NFR Sentivist
            3. HogWash and Snort-Inline
            4. LaBrea Technologies Sentry
        2. Switch-Type NIPS
          1. Protocol Scrubbing, Rate Limiting, and Policy Enforcement
          2. Environmental Anomaly Analysis
          3. NIPS Challenges
            1. Detection Capabilities and Evasion Resistance
            2. Stability Demands
            3. Throughput Demands
            4. Latency Requirements
            5. Security
            6. Passive Analysis
            7. Increased Security Intelligence in the Switch Products
          4. TippingPoint's UnityOne IPS
          5. TopLayer Attack Mitigator
        3. Switch NIPS Deployment Recommendations
          1. Begin Budgeting Now
          2. Review Products in Report-Only Mode
          3. Work with Vendors Identifying Test Procedures for False Positives and False Negatives
          4. Be Wary of Absence of Auto-Update Mechanisms
          5. Be Wary of Auto-Update Mechanisms
          6. Document a Change-Management Mechanism
          7. Expect the NIPS to Be Blamed for All Problems
          8. Use a Combination of NIPS and NIDS Where Appropriate
      5. Host-Based Intrusion Prevention Systems
        1. Real-world Defense Scenarios
        2. Dynamic Rule Creation for Custom Applications
        3. Monitoring File Integrity
        4. Monitoring Application Behavior
        5. HIPS Advantages
        6. HIPS Challenges
        7. More HIPS Challenges
        8. HIPS Recommendations
          1. Document Requirements and Testing Procedures
          2. Develop a Centrally Managed Policy for Controlling Updates
          3. Don't Blindly Install Software Updates
          4. Don't Rely Solely on HIPS to Protect Systems
          5. Expect Your HIPS to Come Under Attack
      6. Summary
  11. III. Designing a Secure Network Perimeter
    1. 12. Fundamentals of Secure Perimeter Design
      1. Gathering Design Requirements
        1. Determining Which Resources to Protect
          1. Servers
          2. Workstations
          3. Networking Gear
          4. Modems
          5. Other Devices
        2. Determining Who the Potential Attackers Are
          1. Determined Outsider
          2. Determined Insider
          3. Script Kiddy
          4. Automated Malicious Agents
        3. Defining Your Business Requirements
          1. Cost
          2. Business-Related Services
          3. Performance
            1. Inline Security Devices
            2. The Use of Encryption
            3. Detailed Logging
          4. Fault Tolerance
            1. Intrasystem Redundancy
            2. Intrasite Redundancy
              1. Firewall Redundancy
              2. Switch Redundancy
            3. Geographic Redundancy
      2. Design Elements for Perimeter Security
        1. Firewall and Router
          1. Basic Filtering
          2. Access Control
          3. Router Under the ISP's Control
          4. Router Without the Firewall
        2. Firewall and VPN
          1. Firewall with VPN as External Device
          2. Firewall and VPN in One System
        3. Multiple Firewalls
          1. Inline Firewalls
          2. Firewalls in Parallel
      3. Summary
      4. References
        1. Bibliography
    2. 13. Separating Resources
      1. Security Zones
        1. A Single Subnet
          1. Security Zones Within a Server
          2. Security Zones via Dedicated Servers
        2. Multiple Subnets
          1. Broadcast Domains
          2. Security Zones via Subnets
      2. Common Design Elements
        1. Mail Relay
          1. Justifying Mail Server Separation
          2. Implementing a Mail Relay
        2. Split DNS
          1. Justifying DNS Server Separation
          2. DNS Spoofing Attacks
          3. Implementing Split DNS
        3. Client Separation
          1. LAN-Connected Desktops
          2. Wandering Laptops, VPN and Dialup Users
          3. The Wireless Client
      3. VLAN-Based Separation
        1. VLAN Boundaries
        2. Jumping Across VLANs
        3. Firewalls and VLANs
        4. Private VLANs
      4. Summary
      5. References
        1. Bibliography
    3. 14. Wireless Network Security
      1. 802.11 Fundamentals
      2. Securing Wireless Networks
        1. Network Design
          1. Separation via Network Control Mechanisms
          2. Protecting Against Signal Leakage
          3. Defending Against Wireless Denial of Service (DoS)
        2. Wireless Encryption
          1. Wired Equivalent Privacy (WEP)
          2. Extensible Authentication Protocols: PEAP/LEAP/EAP-TLS
          3. Wi-Fi Protected Access (WPA)
        3. Hardening Access Points
          1. Disabling SSID Broadcasts
          2. MAC Address Lockdown
          3. Miscellaneous AP Hardening
        4. Defense in Depth for Wireless Networks
          1. VPN/IPSec
          2. Host Defenses
      3. Auditing Wireless Security
        1. Auditing the Wireless Network Design
          1. Auditing Network Controls
          2. Auditing Signal Leakage
        2. Auditing Encryption
      4. Case Study: Effective Wireless Architecture
      5. Summary
      6. References
        1. Bibliography
    4. 15. Software Architecture
      1. Software Architecture and Network Defense
        1. The Importance of Software Architecture
        2. The Need to Evaluate Application Security
      2. How Software Architecture Affects Network Defense
        1. Firewall and Packet-Filtering Changes
        2. Web Services and Interapplication Communications
        3. Conflicts with Network Configuration
        4. Encrypting Connections
        5. Performance and Reliability
        6. Atypical Operating System
      3. Software Component Placement
        1. Single-System Applications
        2. Multitier Applications
        3. Administrator Access to Systems
          1. User-Unfriendly Security
          2. External Administrative Access to Applications
        4. Applications for Internal Users Only
      4. Identifying Potential Software Architecture Issues
        1. Software Evaluation Checklist
        2. Sources of Application Information
        3. How to Handle an Unsecurable Application
      5. Software Testing
        1. Host Security
        2. Network Configuration and Security
      6. Network Defense Design Recommendations
      7. Case Study: Customer Feedback System
        1. Deployment Locations
        2. Architecture Recommendation
      8. Case Study: Web-Based Online Billing Application
        1. Deployment Locations
          1. Web Interface on Existing Screened Subnet
          2. Web Interface and Application on the Same Screened Subnet
          3. All Components on the Internal Network
        2. Architecture Recommendation
      9. Summary
      10. References
        1. Bibliography
    5. 16. VPN Integration
      1. Secure Shell
        1. Standard SSH Connections
          1. SSH Client Integration
          2. SSH Server Integration
          3. SSH Perimeter Defense Adjustments
          4. When to Use Standard SSH Connections
        2. SSH Tunnels
          1. SSH Tunnel Client Integration
          2. SSH Tunnel Server Integration
          3. SSH Tunnel Perimeter Defense Adjustments
          4. When to Use SSH Tunnels
      2. Secure Sockets Layer
        1. SSL Standard Connections
          1. SSL Client Integration
          2. SSL Server Integration
          3. SSL Perimeter Defense Adjustments
          4. When to Use SSL
        2. SSL Tunnels
          1. SSL Tunnel Perimeter Defense Adjustments
          2. When to Use SSL Tunnels
        3. SSL Proxy Servers
          1. SSL Proxy Server Perimeter Defense Adjustments
          2. When to Use SSL Proxy Servers
      3. Remote Desktop Solutions
        1. Single Session
          1. Single-Session Remote Desktop Client Integration
          2. Single-Session Remote Desktop Server Integration
          3. Single-Session Remote Desktop Perimeter Defense Adjustments
          4. When to Use Single-Session Remote Desktop Software
        2. Multiple Session
          1. Multiple Remote Desktop Client Integration
          2. Multiple Remote Desktop Server Integration
          3. Multiple Remote Desktop Perimeter Defense Adjustments
          4. When to Use Terminal Server Software
      4. IPSec
        1. IPSec Client Integration
        2. IPSec Server Integration
        3. IPSec Perimeter Defense Adjustments
        4. IPSec Architectures
      5. Other VPN Considerations
        1. Proprietary VPN Implementations
        2. Compromised or Malicious VPN Clients
      6. VPN Design Case Study
        1. Case Study: Home Users and Multiple Applications
          1. Terminal Server
          2. IPSec
          3. SSL-Enabled Applications
          4. Case Study Conclusion
      7. Summary
      8. References
        1. Bibliography
    6. 17. Tuning the Design for Performance
      1. Performance and Security
        1. Defining Performance
          1. Network Bandwidth and Latency
          2. Response Time
          3. Throughput
        2. Understanding the Importance of Performance in Security
      2. Network Security Design Elements That Impact Performance
        1. The Performance Impacts of Network Filters
          1. Packet Filters
          2. Stateful Firewalls
          3. Proxy Firewalls
          4. Content Filters
        2. Network Architecture
          1. Broadcast Domains
          2. WAN Links
          3. TCP/IP Tuning
          4. Routing Protocols: RIP Versus OSPF
        3. Case Studies to Illustrate the Performance Impact of Network Security Design Elements
          1. Case Study 1: Two Networks Connected Using 128K ISDN
          2. Case Study 2: Satellite-Based Network
      3. Impact of Encryption
        1. Cryptographic Services
        2. Understanding Encryption at the Network and Transport Layers
          1. Network Layer Cryptography
          2. Transport Layer Security (TLS)
        3. Using Hardware Accelerators to Improve Performance
        4. Case Studies to Illustrate the Performance Impact of Encryption
          1. Case Study 3: Link Encrypting Between Two Routers
          2. Case Study 4: SSL Web Server
      4. Using Load Balancing to Improve Performance
        1. Problems with Load Balancing
        2. Layer 4 Dispatchers
        3. Layer 7 Dispatchers
      5. Mitigating the Effects of DoS Attacks
        1. ICMP Flooding
        2. SYN Flooding
      6. Summary
      7. References
        1. Bibliography
    7. 18. Sample Designs
      1. Review of Security Design Criteria
      2. Case Studies
        1. Case Study 1: Telecommuter Who Is Using a Broadband Connection
        2. Case Study 2: A Small Business That Has a Basic Internet Presence
        3. Case Study 3: A Small E-Commerce Site
        4. Case Study 4: A Complex E-Commerce Site
          1. The Internet
          2. The DMZ
          3. The Proxy Layer
          4. The Internal Network
          5. The Security Network
      3. Summary
  12. IV. Maintaining and Monitoring Perimeter Security
    1. 19. Maintaining a Security Perimeter
      1. System and Network Monitoring
        1. Big Brother Fundamentals
        2. Establishing Monitoring Procedures
          1. Hosts and Devices
          2. Accessibility of Network Services
          3. Local System Attributes
        3. Security Considerations for Remote Monitoring
      2. Incident Response
        1. Notification Options
        2. General Response Guidelines
        3. Responding to Malicious Incidents
        4. Automating Event Responses
      3. Accommodating Change
        1. Fundamentals of Change Management
          1. Obtaining Buy-in from Relevant Personnel
          2. Communicating Proposed Changes
          3. Preventing and Detecting Unauthorized Changes
          4. Testing Changes Before Deployment
          5. Verifying Proper System Operation
          6. Rolling Back Undesired Changes
        2. Implementing Change-Management Controls
          1. Applying Patches
          2. Discovering New Services and Devices
      4. Summary
      5. References
        1. Bibliography
    2. 20. Network Log Analysis
      1. The Importance of Network Log Files
        1. Characteristics of Log Files
          1. Information That Log Files Usually Record
          2. Information That Log Files Sometimes Record
          3. Information That Log Files Rarely Record
        2. Purposes of Log Files
          1. Incident Handling
          2. Intrusion Detection
          3. Event Correlation
          4. General Troubleshooting
      2. Log Analysis Basics
        1. Getting Started with Log Analysis
        2. Automating Log Analysis
          1. Getting the Right Data from Log Files
          2. Designing Reports
          3. Using a Third-Party Analysis Product
        3. Timestamps
      3. Analyzing Router Logs
        1. Cisco Router Logs
        2. Other Router Logs
      4. Analyzing Network Firewall Logs
        1. Cisco PIX Logs
        2. Check Point FireWall-1 Logs
        3. IPTables Logs
      5. Analyzing Host-Based Firewall and IDS Logs
        1. ZoneAlarm
        2. Norton Personal Firewall
      6. Summary
    3. 21. Troubleshooting Defense Components
      1. The Process of Troubleshooting
        1. Collecting Symptoms
        2. Reviewing Recent Changes
        3. Forming a Hypothesis
        4. Testing the Hypothesis
        5. Analyzing the Results
        6. Repeating If Necessary
      2. Troubleshooting Rules of Thumb
        1. Make Only One Change at a Time
        2. Keep an Open Mind
        3. Get a Second Opinion
        4. Stay Focused on Fixing the Problem
        5. Don't Implement a Fix That Further Compromises Your Security
        6. The Obvious Problems Are Often Overlooked
        7. Document, Document, Document!
      3. The Troubleshooter's Toolbox
        1. Application Layer Troubleshooting
          1. Nslookup
          2. System Call Trace Utilities
        2. Other Useful Utilities
          1. Troubleshooting Check Point FireWall-1 with FW Monitor
        3. Transport Layer Troubleshooting
          1. Telnet
          2. Netcat
          3. Netstat
          4. Lsof
          5. Fport and Active Ports
          6. Hping
          7. Tcpdump
          8. Revisiting the Sample Firewall Problem with Transport Layer Techniques
        4. Network Layer Troubleshooting
          1. Ifconfig and Ipconfig
          2. Netstat
          3. Ping
          4. Traceroute
          5. Tcpdump
        5. Link Layer Troubleshooting
          1. Ifconfig and Ipconfig
          2. ARP
          3. Tcpdump
          4. Revisiting the Sample Firewall Problem with Link Layer Techniques
      4. Summary
      5. References
        1. Bibliography
    4. 22. Assessment Techniques
      1. Roadmap for Assessing the Security of Your Network
      2. Planning
      3. Reconnaissance
      4. Network Service Discovery
        1. System Enumeration
          1. Network Scanners
          2. Traceroute
        2. Service Discovery
          1. Nmap
          2. Telnet and Banner Retrieval
      5. Vulnerability Discovery
        1. Nessus
        2. ISS Internet Scanner
        3. Retina
        4. LANguard
        5. Vulnerability Research
      6. Verification of Perimeter Components
        1. Preparing for the Firewall Validation
        2. Verifying Access Controls
          1. Traffic Restrictions
          2. Firewall Management
      7. Remote Access
        1. Wardialing
        2. Wardriving
        3. VPNs and Reverse Proxies
          1. Encryption
          2. Authentication
          3. Access Controls
          4. Client-Side Restrictions
      8. Exploitation
      9. Results Analysis and Documentation
      10. Summary
    5. 23. Design Under Fire
      1. The Hacker Approach to Attacking Networks
      2. Adversarial Review
      3. GIAC GCFW Student Practical Designs
        1. Practical Design 1
          1. Determining the Access That Remains: Screening Filtering Routers
            1. The Ingress Filter
            2. The Egress Filter
            3. Other Filters
          2. Protecting the Routers
          3. Determining the Impact: Routers
          4. Determining the Access That Remains: The External Firewalls
            1. Incoming
            2. Outgoing
            3. To DMZ
            4. From DMZ
          5. Determining the Impact: The External Firewalls
          6. Determining the Access That Remains: The Internal Firewalls
          7. Determining the Impact: The Internal Firewall
          8. Repeating as Necessary: Attacking the Whole Network
        2. Practical Design 2
          1. Determining the Access That Remains: The External Firewall
          2. Determining the Impact: The External Firewall
          3. Determining the Access That Remains: The Public Web Server
          4. Determining the Impact: The Public Web Server
          5. Determining the Access That Remains: The Extranet Server
          6. Determining the Impact: The Extranet Server
          7. Determining the Access That Remains: The Internal Firewall
          8. Determining the Impact: The Internal Firewall
          9. Repeating as Necessary: Attacking the Whole Network
      4. Summary
      5. References
        1. Bibliography
    6. 24. A Unified Security Perimeter: The Importance of Defense in Depth
      1. Castles: An Example of Defense-in-Depth Architecture
        1. Hard Walls and Harder Cannonballs
        2. Secret Passages
          1. Tunnels Through the Firewall
            1. SOAP (Simple Object Access Protocol)
            2. Non-RFC Approaches to HTTP Tunneling
            3. Attacking the Web Server
          2. Change in the Perimeter Configuration
          3. Insider Threats
            1. Insider Employees and Contractors
            2. Insider Programs, Spyware, and Keystroke Loggers
        3. Hiding in the Mist
          1. SYN/FIN
          2. Reconnaissance with Fragments
          3. Reconnaissance with Echo Replies
        4. Defense on the Inside
          1. Host-Centric Firewalls as Sensors
          2. Internal Firewalls/Appliances
          3. The Case for Airgaps
          4. Self-Defending Network (SDN)
      2. Absorbent Perimeters
        1. Honeypots
        2. Rate Limiting
        3. Failover
      3. Defense in Depth with Information
        1. The Problem of Diffusion
        2. Cryptography and Defense in Depth
      4. Summary
  13. V. Appendixes
    1. A. Cisco Access List Sample Configurations
      1. Complete Access List for a Private-Only Network
      2. Complete Access List for a Screened Subnet Network That Allows Public Server Internet Access
      3. Example of a Router Configuration as Generated by the Cisco Auto Secure Feature
    2. B. Crypto 101
      1. Encryption Algorithms
        1. Shared Key: Symmetric
        2. Public–Private Key: Asymmetric
        3. Digital Signatures and Hash Algorithms
      2. References
        1. Bibliography